package org.springframework.security.oauth2.server.authorization.authentication;

import java.net.URL;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.convert.TypeDescriptor;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.core.converter.ClaimConversionService;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenIntrospection;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-authorization-server-1.0.2.jar:org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenIntrospectionAuthenticationProvider.class */
/**
 * {@link AuthenticationProvider} for OAuth 2.0 token introspection requests.
 *
 * <p>Given an {@link OAuth2TokenIntrospectionAuthenticationToken} submitted by an authenticated
 * client, it looks up the authorization that owns the token and, when the token is active,
 * returns the token's claims together with the client id, timestamps and token type.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 * <li>The caller must pass {@code getAuthenticatedClientElseThrowInvalidClient}; no further
 * authorization decision is made here.</li>
 * <li>NOTE(review): the authenticated client is never compared with the client the token was
 * issued to, so any client that can authenticate can introspect any token this server stores.
 * If that is broader than intended, restrict access to the introspection endpoint at the
 * deployment level (see the security considerations of RFC 7662).</li>
 * <li>Trace messages are fixed strings and never contain the token value; keep it that way.</li>
 * </ul>
 */
public final class OAuth2TokenIntrospectionAuthenticationProvider implements AuthenticationProvider {
    private static final TypeDescriptor OBJECT_TYPE_DESCRIPTOR = TypeDescriptor.valueOf(Object.class);
    private static final TypeDescriptor LIST_STRING_TYPE_DESCRIPTOR = TypeDescriptor.collection(List.class, TypeDescriptor.valueOf(String.class));
    private final Log logger = LogFactory.getLog(getClass());
    private final RegisteredClientRepository registeredClientRepository;
    private final OAuth2AuthorizationService authorizationService;

    /**
     * Creates the provider.
     *
     * @param registeredClientRepository repository used to resolve the client a token was issued to
     * @param oAuth2AuthorizationService service used to look up the authorization holding the token
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public OAuth2TokenIntrospectionAuthenticationProvider(RegisteredClientRepository registeredClientRepository, OAuth2AuthorizationService oAuth2AuthorizationService) {
        Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        this.registeredClientRepository = registeredClientRepository;
        this.authorizationService = oAuth2AuthorizationService;
    }

    /**
     * Processes a token introspection request.
     *
     * @param authentication the request; must be an {@link OAuth2TokenIntrospectionAuthenticationToken}
     * (callers are expected to consult {@link #supports(Class)} first, the cast is unchecked)
     * @return the unchanged request when no authorization holds the token, a result with an
     * empty introspection when the token is not active, otherwise a result carrying the active
     * token's claims
     * @throws AuthenticationException if the client behind the request is not authenticated
     * (raised by {@code getAuthenticatedClientElseThrowInvalidClient}, not shown here)
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2TokenIntrospectionAuthenticationToken introspectionRequest = (OAuth2TokenIntrospectionAuthenticationToken) authentication;

        // Client authentication is the only gate: it runs before any token lookup.
        OAuth2ClientAuthenticationToken clientPrincipal = OAuth2AuthenticationProviderUtils.getAuthenticatedClientElseThrowInvalidClient(introspectionRequest);

        String requestedTokenValue = introspectionRequest.getToken();

        // A null token type is passed to the lookup.
        // NOTE(review): presumably this matches the value against every token type the service
        // stores (not only access tokens) - confirm against the OAuth2AuthorizationService in use.
        OAuth2Authorization authorization = this.authorizationService.findByToken(requestedTokenValue, null);
        if (authorization == null) {
            traceIfEnabled("Did not authenticate token introspection request since token was not found");
            // The request object goes back untouched, so no claims are attached for unknown tokens.
            return introspectionRequest;
        }
        traceIfEnabled("Retrieved authorization with token");

        OAuth2Authorization.Token<OAuth2Token> authorizedToken = authorization.getToken(requestedTokenValue);
        if (!authorizedToken.isActive()) {
            traceIfEnabled("Did not introspect token since not active");
            // Inactive tokens get an introspection built with no claims at all, so nothing about
            // the token beyond "not active" is handed to the caller.
            return new OAuth2TokenIntrospectionAuthenticationToken(requestedTokenValue, clientPrincipal, OAuth2TokenIntrospection.builder().build());
        }

        // NOTE(review): the lookup result is used without a null check; if the client record has
        // been removed while its tokens are still stored, withActiveTokenClaims would fail with a
        // NullPointerException - confirm the repository contract or the token clean-up policy.
        RegisteredClient authorizedClient = this.registeredClientRepository.findById(authorization.getRegisteredClientId());
        OAuth2TokenIntrospection tokenClaims = withActiveTokenClaims(authorizedToken, authorizedClient);
        traceIfEnabled("Authenticated token introspection request");
        return new OAuth2TokenIntrospectionAuthenticationToken(authorizedToken.getToken().getTokenValue(), clientPrincipal, tokenClaims);
    }

    /**
     * Reports whether this provider handles the given authentication type.
     *
     * @param cls the authentication class to test
     * @return {@code true} for {@link OAuth2TokenIntrospectionAuthenticationToken} and its subclasses
     */
    @Override
    public boolean supports(Class<?> cls) {
        return OAuth2TokenIntrospectionAuthenticationToken.class.isAssignableFrom(cls);
    }

    /** Emits a trace message, checking the log level first. */
    private void traceIfEnabled(String message) {
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(message);
        }
    }

    /**
     * Builds the introspection result for an active token.
     *
     * <p>Every claim stored with the token is copied into the result, so whatever was placed in
     * the token's claims is disclosed to the introspecting client.
     *
     * @param authorizedToken the active token and its stored claims
     * @param authorizedClient the client the token was issued to; must not be {@code null}
     * @return the introspection marked active, with client id and any available timestamps and token type
     */
    private static OAuth2TokenIntrospection withActiveTokenClaims(OAuth2Authorization.Token<OAuth2Token> authorizedToken, RegisteredClient authorizedClient) {
        Map<String, Object> storedClaims = authorizedToken.getClaims();
        OAuth2TokenIntrospection.Builder introspection;
        if (CollectionUtils.isEmpty(storedClaims)) {
            introspection = OAuth2TokenIntrospection.builder(true);
        } else {
            introspection = OAuth2TokenIntrospection.withClaims(convertClaimsIfNecessary(storedClaims)).active(true);
        }

        // The client id always comes from the registered client record, overriding whatever the
        // stored claims may have supplied.
        introspection.clientId(authorizedClient.getClientId());

        OAuth2Token issuedToken = authorizedToken.getToken();
        if (issuedToken.getIssuedAt() != null) {
            introspection.issuedAt(issuedToken.getIssuedAt());
        }
        if (issuedToken.getExpiresAt() != null) {
            introspection.expiresAt(issuedToken.getExpiresAt());
        }
        // Only access tokens carry a token type.
        if (issuedToken instanceof OAuth2AccessToken) {
            introspection.tokenType(((OAuth2AccessToken) issuedToken).getTokenType().getValue());
        }
        return introspection.build();
    }

    /**
     * Returns a copy of the claims in which {@code iss} is a {@link URL} and {@code scope} and
     * {@code aud} are lists of strings, converting each only when it is not already of that type.
     *
     * <p>A claim whose conversion yields {@code null} keeps its original value in the copy.
     *
     * @param claims the stored claims; not modified
     * @return a new map with the converted values
     */
    private static Map<String, Object> convertClaimsIfNecessary(Map<String, Object> claims) {
        Map<String, Object> converted = new HashMap<>(claims);

        Object issuer = claims.get("iss");
        if (issuer != null && !(issuer instanceof URL)) {
            URL issuerUrl = ClaimConversionService.getSharedInstance().convert(issuer, URL.class);
            if (issuerUrl != null) {
                converted.put("iss", issuerUrl);
            }
        }

        putAsStringListIfNecessary(claims, converted, "scope");
        putAsStringListIfNecessary(claims, converted, "aud");
        return converted;
    }

    /**
     * Converts one claim to a list of strings and stores it in {@code target}, unless the claim
     * is absent, already a {@link List}, or the conversion result is {@code null}.
     */
    private static void putAsStringListIfNecessary(Map<String, Object> source, Map<String, Object> target, String claimName) {
        Object value = source.get(claimName);
        if (value == null || value instanceof List) {
            return;
        }
        Object asStringList = ClaimConversionService.getSharedInstance().convert(value, OBJECT_TYPE_DESCRIPTOR, LIST_STRING_TYPE_DESCRIPTOR);
        if (asStringList != null) {
            target.put(claimName, asStringList);
        }
    }
}
